feat: private networking

Author: mweibel

.github/workflows/e2e-weekly.yml

@@ -37,11 +37,12 @@ jobs:
       - name: Run weekly e2e tests
         env:
           CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+          CLOUDSCALE_NETWORK_UUID: ${{ secrets.CLOUDSCALE_NETWORK_UUID }}
           TAG: e2e-weekly-${{ github.sha }}
         run: |
-          make test-e2e \
-            GINKGO_LABEL_FILTER="ha || upgrade || self-hosted || kcp-remediation || conformance" \
-            KUBETEST_CONFIGURATION=./data/kubetest/conformance-fast.yaml
+           make test-e2e \
+             GINKGO_LABEL_FILTER="ha || upgrade || self-hosted || kcp-remediation || conformance || byo-networking" \
+             KUBETEST_CONFIGURATION=./data/kubetest/conformance-fast.yaml
 
       - name: Install regctl
         if: always()

.github/workflows/test-e2e.yml

@@ -18,6 +18,7 @@ on:
           - test-e2e-upgrade
           - test-e2e-self-hosted
           - test-e2e-md-remediation
+          - test-e2e-byo-networking
           - test-e2e-conformance
           - test-e2e-conformance-fast
 
@@ -53,6 +54,7 @@ jobs:
       - name: Run e2e tests
         env:
           CLOUDSCALE_API_TOKEN: ${{ secrets.CLOUDSCALE_API_TOKEN }}
+          CLOUDSCALE_NETWORK_UUID: ${{ secrets.CLOUDSCALE_NETWORK_UUID }}
           TAG: e2e-manual-${{ github.sha }}
           TEST_TARGET: ${{ github.event.inputs.test_target }}
         run: make $TEST_TARGET

Makefile

@@ -125,17 +125,20 @@ generate-e2e-cni: ## Regenerate Cilium CNI manifest from Helm chart
 generate-e2e-ccm: ## Regenerate cloudscale CCM manifest
 	@CCM_VERSION=$(CCM_VERSION) hack/generate-e2e-ccm.sh
 
+E2E_CLUSTER_TEMPLATES := cluster-template \
+	cluster-template-ha \
+	cluster-template-upgrades \
+	cluster-template-md-remediation \
+	cluster-template-byo-network \
+	cluster-template-public-lb-private-nodes \
+	cluster-template-fip
+
 .PHONY: generate-e2e-templates
 generate-e2e-templates: $(KUSTOMIZE) generate-e2e-cni generate-e2e-ccm ## Generate e2e cluster templates using kustomize overlays
 	@mkdir -p $(E2E_TEMPLATES)/main
-	@echo "Generating cluster-template.yaml..."
-	@"$(KUSTOMIZE)" build --load-restrictor LoadRestrictionsNone $(E2E_TEMPLATES)/cluster-template > $(E2E_TEMPLATES)/main/cluster-template.yaml
-	@echo "Generating cluster-template-ha.yaml..."
-	@"$(KUSTOMIZE)" build --load-restrictor LoadRestrictionsNone $(E2E_TEMPLATES)/cluster-template-ha > $(E2E_TEMPLATES)/main/cluster-template-ha.yaml
-	@echo "Generating cluster-template-upgrades.yaml..."
-	@"$(KUSTOMIZE)" build --load-restrictor LoadRestrictionsNone $(E2E_TEMPLATES)/cluster-template-upgrades > $(E2E_TEMPLATES)/main/cluster-template-upgrades.yaml
-	@echo "Generating cluster-template-md-remediation.yaml..."
-	@"$(KUSTOMIZE)" build --load-restrictor LoadRestrictionsNone $(E2E_TEMPLATES)/cluster-template-md-remediation > $(E2E_TEMPLATES)/main/cluster-template-md-remediation.yaml
+	@$(foreach tmpl,$(E2E_CLUSTER_TEMPLATES),\
+		echo "Generating $(tmpl).yaml..." && \
+		"$(KUSTOMIZE)" build --load-restrictor LoadRestrictionsNone $(E2E_TEMPLATES)/$(tmpl) > $(E2E_TEMPLATES)/main/$(tmpl).yaml &&) true
 	@echo "Templates generated successfully."
 
 .PHONY: generate-e2e-config
@@ -222,6 +225,19 @@ test-e2e-md-remediation: $(GINKGO) generate-e2e-templates generate-e2e-config do
 		-e2e.skip-resource-cleanup=$(SKIP_RESOURCE_CLEANUP) \
 		-e2e.use-existing-cluster=$(USE_EXISTING_CLUSTER)
 
+.PHONY: test-e2e-byo-networking
+test-e2e-byo-networking: $(GINKGO) generate-e2e-templates generate-e2e-config docker-build ## Run BYO networking e2e tests
+	$(GINKGO) -v --trace --tags=e2e \
+		--nodes=$(GINKGO_NODES) \
+		--label-filter="byo-networking" \
+		--timeout=90m \
+		--output-dir="$(E2E_ARTIFACTS_FOLDER)" --junit-report="junit.e2e_byo_networking.xml" \
+		./test/e2e -- \
+		-e2e.config=$(E2E_CONF_FILE) \
+		-e2e.artifacts-folder=$(E2E_ARTIFACTS_FOLDER) \
+		-e2e.skip-resource-cleanup=$(SKIP_RESOURCE_CLEANUP) \
+		-e2e.use-existing-cluster=$(USE_EXISTING_CLUSTER)
+
 .PHONY: test-e2e-conformance
 test-e2e-conformance: $(GINKGO) generate-e2e-templates generate-e2e-config docker-build ## Run K8s conformance e2e tests
 	$(GINKGO) -v --trace --tags=e2e \

README.md

@@ -8,8 +8,9 @@ for [cloudscale.ch](https://www.cloudscale.ch).
 
 ## Features
 
-- **CloudscaleCluster**: Network, Subnet, Load Balancer management
-- **CloudscaleMachine**: Server provisioning with cloud-init
+- **CloudscaleCluster**: Multi-network management (managed or BYO), Load Balancer (public or private VIP), Floating IP
+  support
+- **CloudscaleMachine**: Server provisioning with cloud-init and configurable network interfaces
 - **CloudscaleMachineTemplate**: Immutable machine templates for KubeadmControlPlane/MachineDeployment
 
 ## Prerequisites
@@ -42,6 +43,9 @@ clusterctl generate cluster my-cluster \
   | kubectl apply -f -
 ```
 
+This uses the default template (public nodes, managed network). See [Cluster Templates](#cluster-templates) for other
+network topologies.
+
 Watch the cluster come up:
 
 ```bash
@@ -50,15 +54,40 @@ clusterctl describe cluster my-cluster
 
 ## Environment Variables
 
-| Variable                                  | Description                    | Example                           |
-|-------------------------------------------|--------------------------------|-----------------------------------|
-| `CLOUDSCALE_API_TOKEN`                    | cloudscale.ch API token        | `abc123...`                       |
-| `CLOUDSCALE_SSH_PUBLIC_KEY`               | SSH public key added to nodes  | `ssh-ed25519 AAAA...`             |
-| `CLOUDSCALE_REGION`                       | cloudscale.ch region           | `lpg` or `rma`                    |
-| `CLOUDSCALE_MACHINE_IMAGE`                | Server image for nodes         | `custom:ubuntu-2404-kube-v1.xx.x` |
-| `CLOUDSCALE_CONTROL_PLANE_MACHINE_FLAVOR` | Flavor for control plane nodes | `flex-4-2`                        |
-| `CLOUDSCALE_WORKER_MACHINE_FLAVOR`        | Flavor for worker nodes        | `flex-4-2`                        |
-| `CLOUDSCALE_ROOT_VOLUME_SIZE`             | Root volume size in GB         | `50`                              |
+| Variable                                  | Description                               | Example                           |
+|-------------------------------------------|-------------------------------------------|-----------------------------------|
+| `CLOUDSCALE_API_TOKEN`                    | cloudscale.ch API token                   | `abc123...`                       |
+| `CLOUDSCALE_SSH_PUBLIC_KEY`               | SSH public key added to nodes             | `ssh-ed25519 AAAA...`             |
+| `CLOUDSCALE_REGION`                       | cloudscale.ch region                      | `lpg` or `rma`                    |
+| `CLOUDSCALE_MACHINE_IMAGE`                | Server image for nodes                    | `custom:ubuntu-2404-kube-v1.xx.x` |
+| `CLOUDSCALE_CONTROL_PLANE_MACHINE_FLAVOR` | Flavor for control plane nodes            | `flex-4-2`                        |
+| `CLOUDSCALE_WORKER_MACHINE_FLAVOR`        | Flavor for worker nodes                   | `flex-4-2`                        |
+| `CLOUDSCALE_ROOT_VOLUME_SIZE`             | Root volume size in GB                    | `50`                              |
+| `CLOUDSCALE_NETWORK_UUID`                 | Existing cloudscale.ch network UUID (BYO) | `2db69ba3-...`                    |
+
+> **Note:** `CLOUDSCALE_NETWORK_UUID` is required by the `fip`, `public-lb-private-nodes`, and `byo-network`
+> template flavors. It is not needed for the default template.
+
+## Cluster Templates
+
+CAPCS ships several cluster templates for different network topologies. Use `clusterctl generate cluster` with the
+`--flavor` flag to select one:
+
+```bash
+clusterctl generate cluster my-cluster \
+  --kubernetes-version v1.32.0 \
+  --control-plane-machine-count 1 \
+  --worker-machine-count 2 \
+  --flavor <flavor-name> \
+  | kubectl apply -f -
+```
+
+| Flavor                    | Network                   | CP Endpoint              | Node Connectivity | Extra Env Vars            | Notes                |
+|---------------------------|---------------------------|--------------------------|-------------------|---------------------------|----------------------|
+| *(default)*               | Managed (`10.100.0.0/24`) | Public LB (DualStack)    | Public + cluster  | —                         |                      |
+| `fip`                     | BYO                       | Floating IP (IPv4)       | Public + cluster  | `CLOUDSCALE_NETWORK_UUID` | No load balancer     |
+| `public-lb-private-nodes` | BYO + NAT                 | Public LB                | Private only      | `CLOUDSCALE_NETWORK_UUID` | Requires NAT gateway |
+| `byo-network`             | BYO                       | Public LB (DualStack)    | Public + cluster  | `CLOUDSCALE_NETWORK_UUID` |                      |
 
 ## Development
 
@@ -92,14 +121,16 @@ filtering and are split into suites of increasing cost, scheduled accordingly:
 | Cluster upgrade    | `upgrade`        | Rolling K8s version upgrade (v1.34 → v1.35)                                              | < 10 min  | Weekly   | `test-e2e-upgrade`          |
 | Self-hosted        | `self-hosted`    | clusterctl move (pivot) to workload cluster. Requires container image in public registry | < 15 min  | Weekly   | `test-e2e-self-hosted`      |
 | MD remediation     | `md-remediation` | MachineHealthCheck auto-replacement of unhealthy workers                                 | < 10 min  | Weekly   | `test-e2e-md-remediation`   |
+| BYO networking     | `byo-networking` | BYO network: public-LB + private-nodes and floating-IP variants                          | < 10 min  | Weekly   | `test-e2e-byo-networking`   |
 | Conformance (fast) | `conformance`    | K8s conformance, skip Serial tests                                                       | < 60 min  | Weekly   | `test-e2e-conformance-fast` |
 | Conformance (full) | `conformance`    | Full K8s conformance including Serial tests                                              | < 120 min | Biweekly | `test-e2e-conformance`      |
 
 Durations are approximate from a real CI run; conformance varies with cluster size.
 
 **Why this split?** The single-CP lifecycle test is the cheapest smoke test and runs
 nightly to catch regressions early. HA, upgrade, self-hosted, and remediation tests are more
-resource-intensive and run weekly. Full K8s conformance is the most expensive and runs biweekly
+resource-intensive and run weekly. Private networking tests require `CLOUDSCALE_NETWORK_UUID` to be set and are
+skipped otherwise. Full K8s conformance is the most expensive and runs biweekly
 (1st + 15th of month). All suites can be triggered manually via the `test-e2e.yml` workflow
 dispatch. E2E tests share a concurrency group so only one suite runs at a time.
 
@@ -143,6 +174,8 @@ kustomize_substitutions:
   CLOUDSCALE_WORKER_MACHINE_FLAVOR: "flex-4-2"
   CLOUDSCALE_MACHINE_IMAGE: "IMAGE_NAME"
   CLOUDSCALE_ROOT_VOLUME_SIZE: "50"
+  # Required for BYO network flavors (fip, public-lb-private-nodes, byo-network):
+  # CLOUDSCALE_NETWORK_UUID: "UUID_HERE"
 extra_args:
   cloudscale:
     - "--zap-log-level=5"

api/v1beta2/cloudscalecluster_types.go

@@ -28,6 +28,16 @@ const (
 	ClusterFinalizer = "cloudscalecluster.infrastructure.cluster.x-k8s.io"
 )
 
+// IPFamily represents an IP family configuration.
+// +kubebuilder:validation:Enum=IPv4;IPv6;DualStack
+type IPFamily string
+
+const (
+	IPFamilyIPv4      IPFamily = "IPv4"
+	IPFamilyIPv6      IPFamily = "IPv6"
+	IPFamilyDualStack IPFamily = "DualStack"
+)
+
 // CloudscaleClusterSpec defines the desired state of CloudscaleCluster
 type CloudscaleClusterSpec struct {
 	// Region is the cloudscale.ch region (e.g., "rma", "lpg").
@@ -45,17 +55,30 @@ type CloudscaleClusterSpec struct {
 	CredentialsRef CloudscaleCredentialsReference `json:"credentialsRef"`
 
 	// ControlPlaneEndpoint represents the endpoint to communicate with the control plane.
-	// This is set automatically from the load balancer's VIP address.
+	// This is set automatically from the load balancer's VIP address or floating IP.
 	// +optional
 	ControlPlaneEndpoint clusterv1.APIEndpoint `json:"controlPlaneEndpoint,omitzero"`
 
-	// Network contains network configuration for the cluster.
+	// Networks define the private networks for this cluster.
+	// Referenced by name from machine interface specs and LB config.
+	// If empty, defaults to a single managed network named after the cluster.
+	// +listType=map
+	// +listMapKey=name
 	// +optional
-	Network NetworkSpec `json:"network,omitzero"`
+	Networks []NetworkSpec `json:"networks,omitempty"`
 
 	// ControlPlaneLoadBalancer configures the load balancer for the control plane.
 	// +optional
 	ControlPlaneLoadBalancer LoadBalancerSpec `json:"controlPlaneLoadBalancer,omitzero"`
+
+	// FloatingIP configures a floating IP for a stable control plane endpoint.
+	// When the load balancer is enabled (recommended), the floating IP is assigned
+	// to the LB, providing a stable IP that survives LB recreation.
+	// When using a BYO floating IP without a load balancer, the user must
+	// configure a dummy interface on the control plane servers (see cloudscale.ch docs).
+	// Managed floating IPs require the load balancer to be enabled.
+	// +optional
+	FloatingIP *FloatingIPSpec `json:"floatingIP,omitempty"`
 }
 
 // CloudscaleCredentialsReference references a Secret containing the API token.
@@ -69,28 +92,43 @@ type CloudscaleCredentialsReference struct {
 	Namespace string `json:"namespace,omitempty"`
 }
 
-// NetworkSpec defines the network configuration.
+// NetworkSpec defines a private network for the cluster.
+// Exactly one of UUID or CIDR must be specified.
 type NetworkSpec struct {
-	// CIDR is the CIDR block for the private network subnet.
-	// +kubebuilder:default="10.0.0.0/24"
+	// Name identifies this network within the cluster.
+	// Used to reference this network from machine interface specs and LB config.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Pattern=`^[a-z0-9]([a-z0-9-]*[a-z0-9])?$`
+	// +kubebuilder:validation:MaxLength=63
+	Name string `json:"name"`
+
+	// UUID references an existing cloudscale.ch network (BYO).
+	// The network is not deleted on cluster teardown.
+	// Mutually exclusive with CIDR.
+	// +optional
+	UUID string `json:"uuid,omitempty"`
+
+	// CIDR defines the subnet for a controller-managed network.
+	// The network and subnet are created and deleted by CAPCS.
+	// Mutually exclusive with UUID.
 	// +optional
 	CIDR string `json:"cidr,omitempty"`
 
 	// GatewayAddress is the gateway IP address for the subnet.
-	// By default, no gateway is configured on the private network subnet. This ensures
-	// that outbound internet traffic uses the public network interface, which is required
-	// for the Cloud Controller Manager to reach the cloudscale.ch API.
+	// Only applicable when CIDR is set (managed network).
+	// By default, no gateway is configured on the subnet. This ensures
+	// that outbound internet traffic uses the public network interface.
 	// Set this to a specific IP address (e.g., "10.0.0.1") only if you have configured
 	// a NAT gateway or similar infrastructure on the private network.
 	// +optional
-	GatewayAddress *string `json:"gatewayAddress,omitempty"`
+	GatewayAddress string `json:"gatewayAddress,omitempty"`
 }
 
 // LoadBalancerSpec defines the load balancer configuration for the control plane.
 type LoadBalancerSpec struct {
 	// Enabled controls whether a load balancer is created for the control plane.
 	// Set to false for external control planes (e.g., hosted control plane) where the endpoint
-	// is provided externally.
+	// is provided externally, or when using a floating IP without a load balancer.
 	// +kubebuilder:default=true
 	// +optional
 	Enabled *bool `json:"enabled,omitempty"`
@@ -113,6 +151,17 @@ type LoadBalancerSpec struct {
 	// +optional
 	APIServerPort int32 `json:"apiServerPort,omitempty"`
 
+	// Network places the LB VIP on a private network (internal LB).
+	// References spec.networks[].name. Omit for a public LB.
+	// +optional
+	Network string `json:"network,omitempty"`
+
+	// IPFamily specifies the IP family for the LB VIP address(es).
+	// +kubebuilder:validation:Enum=IPv4;IPv6;DualStack
+	// +kubebuilder:default=DualStack
+	// +optional
+	IPFamily IPFamily `json:"ipFamily,omitempty"`
+
 	// HealthMonitor configures the load balancer health monitor.
 	// +optional
 	HealthMonitor HealthMonitorSpec `json:"healthMonitor,omitempty"`
@@ -149,19 +198,38 @@ type HealthMonitorSpec struct {
 	DownThreshold int `json:"downThreshold,omitempty"`
 }
 
+// FloatingIPSpec configures a floating IP for the control plane endpoint.
+// Exactly one of IPFamily or UUID must be specified.
+type FloatingIPSpec struct {
+	// IPFamily creates a new floating IP with this IP version.
+	// A floating IP is a single address, so DualStack is not valid here.
+	// Mutually exclusive with UUID.
+	// +kubebuilder:validation:Enum=IPv4;IPv6
+	// +optional
+	IPFamily *IPFamily `json:"ipFamily,omitempty"`
+
+	// UUID references an existing floating IP (BYO).
+	// The floating IP is not deleted on cluster teardown.
+	// Mutually exclusive with IPFamily.
+	// +optional
+	UUID string `json:"uuid,omitempty"`
+}
+
 // CloudscaleClusterStatus defines the observed state of CloudscaleCluster.
 type CloudscaleClusterStatus struct {
 	// Initialization contains v1beta2 initialization tracking.
 	// +optional
 	Initialization *ClusterInitializationStatus `json:"initialization,omitempty"`
 
-	// NetworkID is the cloudscale.ch network UUID.
+	// Networks track the status of each network defined in spec.networks.
+	// +listType=map
+	// +listMapKey=name
 	// +optional
-	NetworkID string `json:"networkID,omitempty"`
+	Networks []NetworkStatus `json:"networks,omitempty"`
 
-	// SubnetID is the cloudscale.ch subnet UUID.
+	// FloatingIP is the cloudscale.ch floating IP.
 	// +optional
-	SubnetID string `json:"subnetID,omitempty"`
+	FloatingIP string `json:"floatingIP,omitempty"`
 
 	// LoadBalancerID is the cloudscale.ch load balancer UUID.
 	// +optional
@@ -184,20 +252,30 @@ type CloudscaleClusterStatus struct {
 	LoadBalancerMemberIDs []string `json:"loadBalancerMemberIDs,omitempty"`
 
 	// conditions represent the current state of the CloudscaleCluster resource.
-	// Each condition has a unique type and reflects the status of a specific aspect of the resource.
-	//
-	// Standard condition types include:
-	// - "Available": the resource is fully functional
-	// - "Progressing": the resource is being created or updated
-	// - "Degraded": the resource failed to reach or maintain its desired state
-	//
-	// The status of each condition is one of True, False, or Unknown.
 	// +listType=map
 	// +listMapKey=type
 	// +optional
 	Conditions []metav1.Condition `json:"conditions,omitempty"`
 }
 
+// NetworkStatus tracks the provisioned state of a single network.
+type NetworkStatus struct {
+	// Name matches the logical name from spec.networks[].name.
+	Name string `json:"name"`
+
+	// NetworkID is the cloudscale.ch network UUID.
+	// +optional
+	NetworkID string `json:"networkID,omitempty"`
+
+	// SubnetID is the cloudscale.ch subnet UUID.
+	// +optional
+	SubnetID string `json:"subnetID,omitempty"`
+
+	// Managed indicates whether CAPCS manages this network's lifecycle.
+	// false for BYO networks (referenced by UUID), true for CAPCS-created networks (defined by CIDR).
+	Managed bool `json:"managed"`
+}
+
 // ClusterInitializationStatus contains v1beta2 initialization tracking for CloudscaleCluster.
 type ClusterInitializationStatus struct {
 	// Provisioned indicates that all cluster infrastructure has been provisioned.
@@ -206,6 +284,16 @@ type ClusterInitializationStatus struct {
 	Provisioned *bool `json:"provisioned,omitempty"`
 }
 
+// GetNetworkStatus returns the NetworkStatus for the given network name, or nil if not found.
+func (s *CloudscaleClusterStatus) GetNetworkStatus(name string) *NetworkStatus {
+	for i := range s.Networks {
+		if s.Networks[i].Name == name {
+			return &s.Networks[i]
+		}
+	}
+	return nil
+}
+
 // +kubebuilder:object:root=true
 // +kubebuilder:subresource:status
 // +kubebuilder:resource:path=cloudscaleclusters,scope=Namespaced,categories=cluster-api